IPOffice as a Session Manager branch gateway

auskar85

Technical User
Dec 5, 2012
135
LT
Has anybody succeeded in implementing IP Office as a branch gateway with Session Manager? I'm getting an error message:

Sync "System Configuration" on IP Office "test" by user "admin" for Job ID "59902dad-85ca-47c0-895d-3af27be4a4f2" failed. Cause of failure: "Retries 3 times. Device seems to be taking longer time, it might be buggy. Error message from device : connect timed out"

I'm new with Session Manager.
I'm not fully sure how IP Office should work exactly in such a scenario.
 
Yea. We've done several.

Basically, you've got:
-System Manager administering IP Office
-SIP trunks from IPO to Session Manager

You can do it without any SIP trunks and just use System Manager as a central point of administration of separate, unique IP Offices - like if you wanted to have one point of administration for 100 IPOs at 100 small retail stores that have no connections between them.

You can also do it with a core CM with SIP sets and in the "Session Manager" profile, have the "Survivability Server" for those SIP phones be the IP Office. The phones would only register to the IPO in the event of being unable to reach the CM/SM core.

It isn't clean or tidy though. You need to load the IP Office Manager application into System Manager. You need to set the IP Office up for "Central Management" - where only System Manager can log in to IP Office.

Start with "Reference Configuration for Avaya IP Office in a Branch Environment" and go from there! But suffice to say, it does work. I'd try to be at the latest and greatest of everything if possible.
 
Thanks for your reply. I'm trying to configure according to "Deploying IP Office as an Enterprise Branch with Avaya Aura® Session Manager".
However, I'm not getting the certificate "Generated":
"After the page refreshes, the status of the End Entity changes from New to
Generated. This indicates the End Entity certificate exchange has occurred".
I'm only getting status New in List/Edit end entities.
You said I can do without SIP trunks, but as I understand, it is necessary to add an SM line (not a SIP line) to configure a Centralized branch?
 
For your certificate stuff, make sure System Manager's enrollment password hasn't expired.

And yes, you need a SM line for "centralized branch" - you'll have your call processing done by a core CM but you'll need that line to leverage getting calls from the core out that IPO, or to take DIDs on a circuit on that IPO and ship those calls to the core for processing.
 
Why do I need an enrollment password? It shows: Time Remaining:00 hour 00 mins.
I typed a password in the "Add end entity" tab in SM, and the same password in the "SCEP Password" line in IP Office Manager.
Where should this enrollment password match the other side?
 
The enrollment password must be valid in SMGR.

It sets up System Manager's certificate authority to permit Simple Certificate Enrollment Protocol (SCEP).

You'll put the matching password in the IPO, the IPO will send a certificate signing request for its FQDN - myIPO.mycompany.com for example - and System Manager will sign that certificate.

Then, if/when you build TLS trunks to Session Manager, that TLS link at either end will use the certificate issued to yoursessionmanager.yourcompany.com and myIPO.mycompany.com. Both of those certificates will be signed by the same issuing authority (System Manager) and you'll have a secure SIP connection.

The whole thing applies as well for the management link between System Manager and your IPO.
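
The enrollment flow described in the post above, sketched with the openssl CLI as an added example (not part of the thread and not Avaya's tooling). A throwaway local CA stands in for System Manager's certificate authority and the SCEP transport is skipped; the function names, file layout and `otherhost.mycompany.com` are assumptions made for this lab.

```shell
#!/usr/bin/env bash
# Constructed lab: a throwaway CA stands in for System Manager's CA.
# SCEP transport is not performed, only CSR -> signing -> verification.

make_ca() {        # $1 = CA directory
  mkdir -p "$1"
  # Minimal config so the run does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\nCN=unused\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$1/lab.cnf"
  openssl req -x509 -config "$1/lab.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Lab CA $(basename "$1") (constructed)" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_cert() {     # $1 = CA directory, $2 = FQDN, $3 = output prefix
  # Device side: new key pair plus a CSR naming the device's own FQDN.
  openssl req -new -config "$1/lab.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$3.key" -out "$3.csr" 2>/dev/null || return 1
  # CA side: sign the CSR and bind the FQDN as a subjectAltName.
  printf 'subjectAltName=DNS:%s\n' "$2" > "$3.ext"
  openssl x509 -req -in "$3.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$3.ext" -out "$3.pem" 2>/dev/null
}

check_peer() {     # $1 = trusted CA cert, $2 = peer cert, $3 = expected FQDN
  # The peer certificate must chain to the one CA both ends trust ...
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
    || { echo "untrusted-issuer"; return 1; }
  # ... and must have been issued for the name we are connecting to.
  openssl x509 -in "$2" -noout -checkhost "$3" 2>/dev/null \
    | grep -q "does match certificate" \
    || { echo "name-mismatch"; return 1; }
  echo "ok"
}

lab=$(mktemp -d)
make_ca "$lab/smgr"     # plays the role of System Manager's CA
make_ca "$lab/other"    # an unrelated CA, to show the failure case
issue_cert "$lab/smgr"  myIPO.mycompany.com                "$lab/ipo"
issue_cert "$lab/smgr"  yoursessionmanager.yourcompany.com "$lab/sm"
issue_cert "$lab/other" myIPO.mycompany.com                "$lab/stray"

check_peer "$lab/smgr/ca.pem" "$lab/ipo.pem" myIPO.mycompany.com
check_peer "$lab/smgr/ca.pem" "$lab/sm.pem"  yoursessionmanager.yourcompany.com
check_peer "$lab/smgr/ca.pem" "$lab/stray.pem" myIPO.mycompany.com   || true
check_peer "$lab/smgr/ca.pem" "$lab/ipo.pem" otherhost.mycompany.com || true
```

Against real systems, `check_peer` takes the CA certificate exported from System Manager and the certificate each end presents; the lab certificates exist only to make the run self-contained.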
 
Are you sure you are not mixing it up with the entity password? It's not mentioned in the documentation.
 
No, I'm pretty sure about what I'm saying regarding the "Enrollment Password".

I've never seen an "Entity Password" - though I have seen entities defined as "Trusted" or not.


I would bet that you absolutely need a valid "Enrollment Password" defined in SMGR so that your IPO may send a certificate request to be signed by the SMGR and that the resulting certificate is used for TLS SIP trunks and management purposes thereafter between your IPO and the Aura core.
 
Preparing System Manager to issue an identity certificate for IP Office

About this task
Use this procedure to add an IP Office End Entity to System Manager. This procedure adds the IP Office to the System Manager trust domain and is required to establish a trust relationship between the IP Office and System Manager.

Procedure
1. From the System Manager console, under Services, select Security.
2. On the Security page, in the left navigation pane, select Certificates > Authority.
3. In the left navigation pane, click Add End Entity.
4. On the Add End Entity page, do the following:
   a. In the End Entity Profile drop-down box, select INBOUND_OUTBOUND_TLS.
   b. In the Username field, enter the name of the IP Office system.
   c. In the Password field, enter a certificate password.


It is from the documentation: Deploying IP Office as an Enterprise Branch with Avaya Aura® Session Manager

The password is under "Add end Entity", but I will try with the Enrollment password as you suggested.
 
I don't know what I am doing wrong. I entered the enrollment password, and nothing happens; the status is still new. Can I change it manually to generated? What should I enter in the FQDN field when adding IP Office as an entity?
 
Keep at it!

The FQDN in SMGR entities, I would think, is the hostname/FQDN you defined on the IPO.
 
It's a little tricky with the order of steps. Are certificates mandatory before file synchronization takes place? Can the SM line be configured before file synchronization, or should I always add the SM line later?
 
I'm not entirely sure about the sequence of steps. I would think that the whole idea would be that you pre-stage the IPO according to a template in System Manager, define that trusted entity/hostname/FQDN/enrollment password, and when that IPO comes online and does its initial configuration, it enrolls and grabs certificates and then pulls down the central config you defined.
 
Do I need special licenses apart from SIP trunk channels? In system events, I get: "IP Address: 172.16.x.x, Port:10162, Format: SMGR, Community:, Severity: Major Invalid Card, Free Capacity, Generic, Licence Server Failure, License Key Fail"
I'm using ADI licensing.
I didn't configure SNMP; however, the system event destination is under SNMP traps.
 
Succeeded in file synchronization. But certificates still are not generated.
 
I've only done it with WebLM licensing. We needed Essential Edition, SIP trunk channels and "Centralized IP Endpoints" to add users in the way we wanted.

Maybe during your initial setup you did something to look for WebLM licensing and not ADI/SD card based licensing?
 
The IP address of WebLM is entered on IP Office, but Enable remote Server is unchecked.
Do I need certificates for an SM line based on TCP, or only for TLS lines?
I'm trying to add a User in SM. Under IP Office Endpoint Profile I get errors:
1. To create an IP Office user with Analog or Digital Set Type, please chack the "Use Existing Extension" option or select valid Module-Port option.
2. Selected extension is already in use or is invalid.
If I check the Use Existing Extension checkbox, only the second error appears. I'm not successful in getting the Module-Port dropdown box to become active.
 
I think it could be a licensing problem, but SM should mention that. On IP Office I can select the user as centralized, but maybe without licenses it is displaying: "Selected extension is already in use or is invalid"?
 
I deleted the user in IP Office. But now I'm getting only the "Module-Port is mandatory for Centralized user having Analog extension" error.
But I cannot choose under Module-Port, it is empty.

 
I came back after the holiday, and boom. It is working (the certificate is generated). All that was changed was that the enrollment password was expired. I don't know if it has to be expired, or if it does not have to be entered at all.
 